anonhaven
Ad

CVE-2026-25673

HIGH CVSS 3.1: 7.5 EPSS 0.12%
Updated Mar 03, 2026
Django
Parameter Value
CVSS 7.5 (HIGH)
Affected Versions before 6.0.3
Type CWE-400 (Uncontrolled Resource Consumption (Неконтролируемое потребление ресурсов))
Vendor Django
Public PoC No

An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. `URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

Attack Parameters

Attack Vector
Network
Атака возможна удалённо
Attack Complexity
Low
Легко эксплуатировать
Privileges Required
None
Права не нужны
User Interaction
None
Не нужно действие пользователя

Impact Assessment

Confidentiality
None
Нет утечки данных
Integrity
None
Нет модификации данных
Availability
High
Полный отказ в обслуживании

CVSS Vector v3.1

Weakness Type (CWE)

CWE-400 Uncontrolled Resource Consumption (Неконтролируемое потребление ресурсов)

References 3

https://docs.djangoproject.com/en/dev/releases/security/
6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
https://groups.google.com/g/django-announce
6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
https://www.djangoproject.com/weblog/2026/mar/03/security-releases/
6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-30244

Django

7.5

CVE-2026-28223

Django

6.1

CVE-2026-28222

Django

6.1

CVE-2026-27982

Django

5.1

CVE-2026-25674

Django

3.7